@gotgenes/pi-permission-system 3.11.0 → 4.0.0

package/schemas/permissions.schema.json

@@ -2,8 +2,8 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://raw.githubusercontent.com/gotgenes/pi-permission-system/main/schemas/permissions.schema.json",
   "title": "PI Permission System Configuration",
-  "description": "Unified config file combining runtime knobs and permission policy for pi-permission-system.",
-  "markdownDescription": "Unified config file combining runtime knobs and permission policy for [pi-permission-system](https://github.com/gotgenes/pi-permission-system).\n\nPlace at `~/.pi/agent/extensions/pi-permission-system/config.json` (global) or `<project>/.pi/extensions/pi-permission-system/config.json` (project).",
+  "description": "Unified config file combining runtime knobs and flat permission policy for pi-permission-system.",
+  "markdownDescription": "Unified config file combining runtime knobs and flat permission policy for [pi-permission-system](https://github.com/gotgenes/pi-permission-system).\n\nPlace at `~/.pi/agent/extensions/pi-permission-system/config.json` (global) or `<project>/.pi/extensions/pi-permission-system/config.json` (project).",
   "type": "object",
   "additionalProperties": false,
   "properties": {
@@ -29,111 +29,43 @@
       "type": "boolean",
       "default": false
     },
-    "defaultPolicy": {
-      "description": "Fallback permission state per category when no specific rule matches.",
-      "markdownDescription": "Fallback permission state per category when no specific rule matches.\n\nAll fields default to `\"ask\"` when omitted.",
+    "permission": {
+      "description": "Flat permission policy. Each key is a surface name; values are a PermissionState string (catch-all) or a pattern→action map.",
+      "markdownDescription": "Flat permission policy.\n\nEach top-level key is a surface name:\n- `\"*\"` — universal fallback (replaces `defaultPolicy.tools` from the legacy format)\n- Tool names (`read`, `write`, `bash`, `mcp`, `skill`, `external_directory`, etc.)\n\nA **string** value is shorthand for `{ \"*\": action }` (surface-level catch-all).\nAn **object** value maps wildcard patterns to actions — last matching pattern wins.\n\n**Merge order (lowest → highest precedence):** global → project → per-agent frontmatter.",
       "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "tools": {
-          "description": "Default permission for registered tools when no exact-name rule matches in the tools map.",
-          "markdownDescription": "Default permission for registered tools when no exact-name rule matches in the `tools` map.",
-          "$ref": "#/$defs/permissionState",
-          "default": "ask"
-        },
-        "bash": {
-          "description": "Default permission for bash commands when no pattern in the bash map matches.",
-          "markdownDescription": "Default permission for bash commands when no pattern in the `bash` map matches.",
-          "$ref": "#/$defs/permissionState",
-          "default": "ask"
-        },
-        "mcp": {
-          "description": "Default permission for MCP operations when no target pattern in the mcp map matches.",
-          "markdownDescription": "Default permission for MCP operations when no target pattern in the `mcp` map matches.",
-          "$ref": "#/$defs/permissionState",
-          "default": "ask"
-        },
-        "skills": {
-          "description": "Default permission for skill loading when no pattern in the skills map matches.",
-          "markdownDescription": "Default permission for skill loading when no pattern in the `skills` map matches.",
-          "$ref": "#/$defs/permissionState",
-          "default": "ask"
-        },
-        "special": {
-          "description": "Default permission for special checks (external_directory) when no explicit rule matches.",
-          "markdownDescription": "Default permission for special checks (`external_directory`) when no explicit rule matches.",
-          "$ref": "#/$defs/permissionState",
-          "default": "ask"
-        }
-      }
-    },
-    "tools": {
-      "description": "Exact-name permissions for registered tools. Use this map for the canonical Pi built-ins and any extension-provided or third-party tools.",
-      "markdownDescription": "Exact-name permissions for registered tools. Use this map for the canonical Pi built-ins (`read`, `write`, `edit`, `bash`, `grep`, `find`, `ls`) and any extension-provided or third-party tools.\n\nNo wildcards — keys must match the registered tool name exactly.",
-      "$ref": "#/$defs/permissionMap",
+      "propertyNames": {
+        "description": "A surface name or the universal fallback key '*'.",
+        "type": "string",
+        "minLength": 1
+      },
+      "additionalProperties": {
+        "oneOf": [
+          {
+            "$ref": "#/$defs/permissionState",
+            "description": "Catch-all shorthand: equivalent to { \"*\": action }."
+          },
+          {
+            "$ref": "#/$defs/permissionMap",
+            "description": "Pattern→action map for this surface."
+          }
+        ]
+      },
       "examples": [
         {
+          "*": "ask",
           "read": "allow",
           "write": "deny",
-          "edit": "ask",
-          "mcp": "allow"
+          "bash": {
+            "*": "ask",
+            "git status": "allow",
+            "git diff": "allow",
+            "git *": "ask"
+          },
+          "mcp": { "*": "ask", "mcp_status": "allow", "exa:*": "allow" },
+          "skill": { "*": "ask", "librarian": "allow" },
+          "external_directory": "ask"
         }
       ]
-    },
-    "bash": {
-      "description": "Wildcard pattern permissions for bash commands. Patterns use * globs matched against the full command string. Last matching rule wins.",
-      "markdownDescription": "Wildcard pattern permissions for bash commands. Patterns use `*` globs matched against the full command string.\n\n**Last matching rule wins** — put broad catch-all rules first and specific overrides after them.",
-      "$ref": "#/$defs/permissionMap",
-      "examples": [
-        {
-          "git status": "allow",
-          "git diff": "allow",
-          "git *": "ask",
-          "rm -rf *": "deny"
-        }
-      ]
-    },
-    "mcp": {
-      "description": "Pattern-based permissions for targets invoked through a registered mcp tool when available.",
-      "markdownDescription": "Pattern-based permissions for targets invoked through a registered `mcp` tool when available.\n\nTargets include server names (`myServer`), qualified tool names (`myServer:search`, `myServer_search`), and baseline operations (`mcp_status`, `mcp_list`, `mcp_connect`, `mcp_describe`, `mcp_search`).",
-      "$ref": "#/$defs/permissionMap",
-      "examples": [
-        {
-          "mcp_status": "allow",
-          "mcp_list": "allow",
-          "myServer:*": "ask",
-          "dangerousServer": "deny"
-        }
-      ]
-    },
-    "skills": {
-      "description": "Wildcard pattern permissions for skill names. Controls which skills can be loaded or read from disk.",
-      "markdownDescription": "Wildcard pattern permissions for skill names. Controls which skills can be loaded or read from disk.\n\nUse `\"*\": \"ask\"` to require confirmation for all skills, or `\"dangerous-*\": \"deny\"` to block a family of skills.",
-      "$ref": "#/$defs/permissionMap",
-      "examples": [
-        {
-          "*": "ask",
-          "dangerous-*": "deny"
-        }
-      ]
-    },
-    "special": {
-      "description": "Reserved permission checks for special runtime behaviors.",
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "external_directory": {
-          "description": "Enforces permission checks for path-bearing file tools (read, write, edit, find, grep, ls) when they target paths outside the active working directory.",
-          "markdownDescription": "Enforces permission checks for path-bearing file tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) when they target paths outside the active working directory.\n\nEvaluated **before** the normal tool permission check — so `tools.read: \"allow\"` can permit ordinary reads while `external_directory: \"ask\"` still requires confirmation for paths outside `cwd`.",
-          "$ref": "#/$defs/permissionState"
-        },
-        "tool_call_limit": {
-          "description": "Deprecated and ignored. This key has no effect and should be removed from your config.",
-          "markdownDescription": "⚠️ **Deprecated and ignored.** This key has no effect and should be removed from your config.",
-          "deprecated": true,
-          "$ref": "#/$defs/permissionState"
-        }
-      }
     }
   },
   "$defs": {
@@ -155,8 +87,8 @@
       ]
     },
     "permissionMap": {
-      "description": "A map of name or wildcard patterns to permission states. Keys are matched against the relevant target (tool name, bash command, MCP target, or skill name).",
-      "markdownDescription": "A map of name or wildcard patterns to permission states.\n\nKeys are matched against the relevant target. Use `*` for wildcard matching. When multiple patterns match, the **last matching rule wins**.",
+      "description": "A map of wildcard patterns to permission states. Last matching pattern wins.",
+      "markdownDescription": "A map of wildcard patterns to permission states.\n\nUse `*` for wildcard matching. When multiple patterns match, the **last matching rule wins** — put broad catch-alls first and specific overrides after them.",
       "type": "object",
       "propertyNames": {
         "description": "A non-empty pattern string. Use * for wildcard matching.",

package/src/config-loader.ts

@@ -9,10 +9,10 @@ import {
   getLegacyProjectPolicyPath,
   getProjectConfigPath,
 } from "./config-paths";
-import type { PermissionDefaultPolicy, PermissionState } from "./types";
+import type { FlatPermissionConfig } from "./types";
 
 /**
- * Unified config shape combining runtime knobs and policy in one object.
+ * Unified config shape combining runtime knobs and flat permission policy.
  * All fields are optional so partial configs (project-only, global-only) work.
  */
 export interface UnifiedPermissionConfig {
@@ -21,13 +21,8 @@ export interface UnifiedPermissionConfig {
   permissionReviewLog?: boolean;
   yoloMode?: boolean;
 
-  // Policy
-  defaultPolicy?: Partial<PermissionDefaultPolicy>;
-  tools?: Record<string, PermissionState>;
-  bash?: Record<string, PermissionState>;
-  mcp?: Record<string, PermissionState>;
-  skills?: Record<string, PermissionState>;
-  special?: Record<string, PermissionState>;
+  // Flat permission policy
+  permission?: FlatPermissionConfig;
 }
 
 export interface UnifiedConfigLoadResult {
@@ -35,23 +30,6 @@ export interface UnifiedConfigLoadResult {
   issues: string[];
 }
 
-const DEPRECATED_SPECIAL_KEYS: ReadonlySet<string> = new Set([
-  "doom_loop",
-  "tool_call_limit",
-]);
-
-const BUILT_IN_TOOL_PERMISSION_NAMES = new Set([
-  "bash",
-  "read",
-  "write",
-  "edit",
-  "grep",
-  "find",
-  "ls",
-]);
-
-const SPECIAL_PERMISSION_KEYS = new Set(["external_directory"]);
-
 export function stripJsonComments(input: string): string {
   let output = "";
   let inString = false;
@@ -124,51 +102,86 @@ export function stripJsonComments(input: string): string {
   return output;
 }
 
-function normalizePartialPolicy(
-  value: unknown,
-): Partial<PermissionDefaultPolicy> | undefined {
-  const record = toRecord(value);
-  const normalized: Partial<PermissionDefaultPolicy> = {};
-  let hasAny = false;
-
-  for (const key of ["tools", "bash", "mcp", "skills", "special"] as const) {
-    if (isPermissionState(record[key])) {
-      normalized[key] = record[key] as PermissionState;
-      hasAny = true;
-    }
+function normalizeOptionalBoolean(value: unknown): boolean | undefined {
+  if (typeof value === "boolean") {
+    return value;
   }
-
-  return hasAny ? normalized : undefined;
+  return undefined;
 }
 
-function normalizePermissionRecord(
+/**
+ * Normalize a raw `permission` value from parsed JSON into a FlatPermissionConfig.
+ * Drops non-object top-level values, invalid PermissionState strings, and
+ * invalid action values inside object maps.
+ */
+function normalizeFlatPermissionValue(
   value: unknown,
-): Record<string, PermissionState> | undefined {
-  const record = toRecord(value);
-  const normalized: Record<string, PermissionState> = {};
+): FlatPermissionConfig | undefined {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return undefined;
+  }
+  const record = value as Record<string, unknown>;
+  const normalized: FlatPermissionConfig = {};
   let hasAny = false;
 
-  for (const [key, state] of Object.entries(record)) {
-    if (isPermissionState(state)) {
-      normalized[key] = state;
-      hasAny = true;
+  for (const [key, val] of Object.entries(record)) {
+    if (typeof val === "string") {
+      if (isPermissionState(val)) {
+        normalized[key] = val;
+        hasAny = true;
+      }
+    } else if (typeof val === "object" && val !== null && !Array.isArray(val)) {
+      const map: Record<string, import("./types").PermissionState> = {};
+      let mapHasAny = false;
+      for (const [pattern, action] of Object.entries(
+        val as Record<string, unknown>,
+      )) {
+        if (isPermissionState(action)) {
+          map[pattern] = action;
+          mapHasAny = true;
+        }
+      }
+      if (mapHasAny) {
+        normalized[key] = map;
+        hasAny = true;
+      }
     }
   }
 
   return hasAny ? normalized : undefined;
 }
 
-function normalizeOptionalBoolean(value: unknown): boolean | undefined {
-  if (typeof value === "boolean") {
-    return value;
+/**
+ * Deep-shallow merge two flat permission configs.
+ * - Both objects for same key → shallow-merge the pattern maps.
+ * - Otherwise → override replaces base.
+ */
+function mergeFlatPermissions(
+  base: FlatPermissionConfig,
+  override: FlatPermissionConfig,
+): FlatPermissionConfig {
+  const merged: FlatPermissionConfig = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    const baseVal = merged[key];
+    if (
+      typeof baseVal === "object" &&
+      baseVal !== null &&
+      typeof value === "object" &&
+      value !== null
+    ) {
+      merged[key] = {
+        ...(baseVal as Record<string, import("./types").PermissionState>),
+        ...(value as Record<string, import("./types").PermissionState>),
+      };
+    } else {
+      merged[key] = value;
+    }
   }
-  return undefined;
+  return merged;
 }
 
 /**
  * Normalize raw parsed JSON into the unified config shape.
- * Handles top-level shorthand keys (e.g. `bash: "allow"` at root)
- * and deprecated special keys, collecting issues along the way.
  */
 export function normalizeUnifiedConfig(raw: unknown): {
   config: UnifiedPermissionConfig;
@@ -176,7 +189,6 @@ export function normalizeUnifiedConfig(raw: unknown): {
 } {
   const record = toRecord(raw);
   const issues: string[] = [];
-
   const config: UnifiedPermissionConfig = {};
 
   // Runtime knobs
@@ -192,60 +204,18 @@ export function normalizeUnifiedConfig(raw: unknown): {
   const yoloMode = normalizeOptionalBoolean(record.yoloMode);
   if (yoloMode !== undefined) config.yoloMode = yoloMode;
 
-  // Policy
-  const defaultPolicy = normalizePartialPolicy(record.defaultPolicy);
-  if (defaultPolicy) config.defaultPolicy = defaultPolicy;
-
-  const tools = normalizePermissionRecord(record.tools);
-  if (tools) config.tools = tools;
-
-  const bash = normalizePermissionRecord(record.bash);
-  if (bash) config.bash = bash;
-
-  const mcp = normalizePermissionRecord(record.mcp);
-  if (mcp) config.mcp = mcp;
-
-  const skills = normalizePermissionRecord(record.skills);
-  if (skills) config.skills = skills;
-
-  const special = normalizePermissionRecord(record.special);
-  if (special) config.special = special;
-
-  // Detect deprecated special keys
-  const rawSpecial = toRecord(record.special);
-  for (const key of DEPRECATED_SPECIAL_KEYS) {
-    if (key in rawSpecial) {
-      issues.push(
-        `special.${key} is deprecated and ignored — remove it from your config file.`,
-      );
-      if (config.special) {
-        delete config.special[key];
-        if (Object.keys(config.special).length === 0) {
-          delete config.special;
-        }
-      }
-    }
-  }
-
-  // Handle top-level shorthand keys (e.g. `bash: "allow"` at root level)
-  for (const [key, value] of Object.entries(record)) {
-    if (!isPermissionState(value)) continue;
-
-    if (BUILT_IN_TOOL_PERMISSION_NAMES.has(key)) {
-      config.tools = { ...(config.tools || {}), [key]: value };
-    } else if (SPECIAL_PERMISSION_KEYS.has(key)) {
-      config.special = { ...(config.special || {}), [key]: value };
-    }
-  }
+  // Flat permission policy
+  const permission = normalizeFlatPermissionValue(record.permission);
+  if (permission !== undefined) config.permission = permission;
 
   return { config, issues };
 }
 
 /**
- * Merge two unified configs. Object-shaped fields (defaultPolicy, tools, bash,
- * mcp, skills, special) are shallow-merged (override wins per-key). Scalar
- * fields (debugLog, permissionReviewLog, yoloMode) are replaced when present
- * in the override.
+ * Merge two unified configs.
+ * - `permission` is deep-shallow merged (surface-level object maps are shallow-merged).
+ * - Scalar fields (debugLog, permissionReviewLog, yoloMode) are replaced when
+ *   present in the override.
  */
 export function mergeUnifiedConfigs(
   base: UnifiedPermissionConfig,
@@ -261,20 +231,15 @@ export function mergeUnifiedConfigs(
     }
   }
 
-  // Object fields: shallow spread merge
-  for (const key of [
-    "defaultPolicy",
-    "tools",
-    "bash",
-    "mcp",
-    "skills",
-    "special",
-  ] as const) {
-    const baseVal = base[key];
-    const overrideVal = override[key];
-    if (baseVal || overrideVal) {
-      merged[key] = { ...(baseVal || {}), ...(overrideVal || {}) } as never;
-    }
+  // Permission: deep-shallow merge
+  const basePerm = base.permission;
+  const overridePerm = override.permission;
+  if (basePerm && overridePerm) {
+    merged.permission = mergeFlatPermissions(basePerm, overridePerm);
+  } else if (basePerm) {
+    merged.permission = basePerm;
+  } else if (overridePerm) {
+    merged.permission = overridePerm;
   }
 
   return merged;
@@ -297,6 +262,10 @@ export interface MergedConfigResult {
  * 3. New global config
  * 4. Legacy project policy (if present)
  * 5. New project config — highest precedence
+ *
+ * Legacy files are detected and warned about. Their content is parsed with the
+ * flat-format parser — legacy-format keys (defaultPolicy, tools, bash, etc.)
+ * are not translated and contribute no permission rules.
  */
 export function loadAndMergeConfigs(
   agentDir: string,

package/src/defaults.ts

@@ -1,66 +1,10 @@
-import type { PermissionDefaultPolicy, PermissionState } from "./types";
-
-/** Hardcoded fallback — every surface defaults to "ask" (least privilege). */
-export const DEFAULT_POLICY: PermissionDefaultPolicy = {
-  tools: "ask",
-  bash: "ask",
-  mcp: "ask",
-  skills: "ask",
-  special: "ask",
-};
-
-/**
- * Map a surface name used in evaluate() to the corresponding
- * defaultPolicy key. Surfaces not listed here fall through to
- * either "tools" or "special" via getSurfaceDefault().
- */
-const SURFACE_TO_DEFAULT_KEY: Record<string, keyof PermissionDefaultPolicy> = {
-  bash: "bash",
-  mcp: "mcp",
-  skill: "skills",
-};
-
 /**
- * Resolve the default action for a surface, consulting merged defaults.
+ * @deprecated This module has been removed as part of #66 (flat permission
+ * config format). It is kept as an empty stub to avoid breaking any lingering
+ * references during the migration; delete it in a follow-up cleanup.
  *
- * - "bash", "mcp", "skill" → dedicated defaultPolicy key
- * - special-key surfaces (e.g. "external_directory") → defaults.special
- * - everything else (tool-name surfaces) → defaults.tools
- *
- * @deprecated Default policy is now synthesized into the composed ruleset via
- * `synthesizeDefaults()` in `src/synthesize.ts`. Call-sites that previously
- * consulted this function can evaluate against the composed ruleset instead.
- * This function is kept for backward compatibility and will be removed in a
- * future cleanup.
+ * The universal default is now expressed as permission["*"] in the flat config.
+ * mergeDefaults() and getSurfaceDefault() have no replacement.
  */
-export function getSurfaceDefault(
-  surface: string,
-  defaults: PermissionDefaultPolicy,
-  specialKeys: ReadonlySet<string>,
-): PermissionState {
-  const key = SURFACE_TO_DEFAULT_KEY[surface];
-  if (key) return defaults[key];
-  if (specialKeys.has(surface)) return defaults.special;
-  return defaults.tools;
-}
-
-/**
- * Merge zero or more partial default policies on top of DEFAULT_POLICY.
- * Later partials override earlier ones (shallow spread per key).
- */
-export function mergeDefaults(
-  ...partials: ReadonlyArray<Partial<PermissionDefaultPolicy> | undefined>
-): PermissionDefaultPolicy {
-  const merged: PermissionDefaultPolicy = { ...DEFAULT_POLICY };
-
-  for (const partial of partials) {
-    if (!partial) continue;
-    if (partial.tools) merged.tools = partial.tools;
-    if (partial.bash) merged.bash = partial.bash;
-    if (partial.mcp) merged.mcp = partial.mcp;
-    if (partial.skills) merged.skills = partial.skills;
-    if (partial.special) merged.special = partial.special;
-  }
 
-  return merged;
-}
+export {};

package/src/extension-config.ts

@@ -130,10 +130,9 @@ export function loadPermissionSystemConfig(
     }
     if (misplacedKeys.length > 0) {
       warnings.push(
-        `config.json contains permission-rule keys that are ignored here: ${misplacedKeys.join(", ")}.\n` +
-          "Permission rules belong in ~/.pi/agent/pi-permissions.jsonc, " +
-          "<project>/.pi/agent/pi-permissions.jsonc, or per-agent frontmatter.\n" +
-          "See config/config.example.json for the keys config.json supports.",
+        `config.json contains legacy permission-rule keys that are ignored: ${misplacedKeys.join(", ")}.\n` +
+          'Use the flat permission format: { "permission": { "*": "ask", "read": "allow", ... } }.\n' +
+          "See config/config.example.json for the new format.",
       );
     }
 

package/src/normalize.ts

@@ -1,70 +1,32 @@
+import { isPermissionState } from "./common";
 import type { Rule, Ruleset } from "./rule";
-import type { PermissionState } from "./types";
+import type { FlatPermissionConfig } from "./types";
 
 /**
- * Subset of UnifiedPermissionConfig covering only policy fields.
- * Used as the input shape for normalizeConfig().
- */
-export interface NormalizableConfig {
-  tools?: Record<string, PermissionState>;
-  bash?: Record<string, PermissionState>;
-  mcp?: Record<string, PermissionState>;
-  skills?: Record<string, PermissionState>;
-  special?: Record<string, PermissionState>;
-}
-
-/**
- * Keys in the `tools` map that serve as fallback defaults for their
- * respective pattern-based surfaces rather than as tool-level rules.
- *
- * `tools.bash` sets the bash default (fallback when no bash pattern matches).
- * `tools.mcp` sets the tool-level MCP fallback.
+ * Convert a flat permission config into a Ruleset.
  *
- * These are NOT normalized into the Ruleset — they are extracted by the
- * caller and handled as separate fallbacks to preserve the semantic that
- * specific bash/mcp patterns always have priority.
- */
-export const TOOL_SURFACE_OVERRIDE_KEYS: ReadonlySet<string> = new Set([
-  "bash",
-  "mcp",
-]);
-
-/**
- * Convert the on-disk config shape into a flat Ruleset.
+ * Each key is a surface name. A string value is shorthand for
+ * `{ "*": action }`. An object value maps patterns to actions.
+ * Invalid action values are silently skipped.
  *
- * Ordering within a scope:
- * 1. tools entries (tool-name-as-surface, pattern "*") — excluding bash/mcp
- * 2. bash entries (surface "bash", pattern = command glob)
- * 3. mcp entries (surface "mcp", pattern = target glob)
- * 4. skills entries (surface "skill", pattern = skill glob)
- * 5. special entries (surface "special", pattern = key name)
- *
- * `tools.bash` and `tools.mcp` are excluded — see TOOL_SURFACE_OVERRIDE_KEYS.
- * `defaultPolicy` is NOT included — handled separately by the caller.
+ * The universal fallback key `"*"` is included if present — callers
+ * that use `"*"` only for `synthesizeDefaults()` should strip it before
+ * calling this function.
  */
-export function normalizeConfig(config: NormalizableConfig): Ruleset {
+export function normalizeFlatConfig(permission: FlatPermissionConfig): Ruleset {
   const rules: Rule[] = [];
-
-  for (const [name, action] of Object.entries(config.tools ?? {})) {
-    if (TOOL_SURFACE_OVERRIDE_KEYS.has(name)) continue;
-    rules.push({ surface: name, pattern: "*", action });
+  for (const [surface, value] of Object.entries(permission)) {
+    if (typeof value === "string") {
+      if (isPermissionState(value)) {
+        rules.push({ surface, pattern: "*", action: value });
+      }
+    } else if (typeof value === "object" && value !== null) {
+      for (const [pattern, action] of Object.entries(value)) {
+        if (isPermissionState(action)) {
+          rules.push({ surface, pattern, action });
+        }
+      }
+    }
   }
-
-  for (const [pattern, action] of Object.entries(config.bash ?? {})) {
-    rules.push({ surface: "bash", pattern, action });
-  }
-
-  for (const [pattern, action] of Object.entries(config.mcp ?? {})) {
-    rules.push({ surface: "mcp", pattern, action });
-  }
-
-  for (const [pattern, action] of Object.entries(config.skills ?? {})) {
-    rules.push({ surface: "skill", pattern, action });
-  }
-
-  for (const [name, action] of Object.entries(config.special ?? {})) {
-    rules.push({ surface: "special", pattern: name, action });
-  }
-
   return rules;
 }